RED Cybersecurity Requirements FAQs

Our experts provide answers to frequently asked questions about the cybersecurity requirements in the Radio Equipment Directive (RED).

We manufacture internet-connected radio platforms. They are connected to the internet, but they don’t deal with personal or financial data. Which section will be applicable to us?

Article 3.3(d) applies. It requires that radio equipment neither harms the network or its functioning nor misuses network resources in a way that causes an unacceptable degradation of service.

What could be considered "traffic data," as mentioned in (3)(e)?

Traffic data is defined in Article 2, point (b), of Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on Privacy and Electronic Communications).

How does the self-assessment work? How can this be audited by the authorities? Can you still get the CE marking?

You can find the steps for how manufacturers should use the CE marking here.

Can you offer some examples of what’s considered personal data? The definition seems to be quite broad.

You can find details on what’s considered personal data here.

If the device passes the EU RED cyber requirement, will the U.K. recognize the CE marking?

The government intends to extend recognition of the CE marking for placing most goods on the market in Great Britain indefinitely beyond August 2025. These updates apply to the 18 regulations that fall under the Department for Business and Trade (DBT). More information can be found here.

Can I use a third party for testing and assessment and then self-declare without a Notified Body?

Yes, you can secure an evaluation through a Notified Body or with a self-assessment against harmonized standards EN 18031-1, -2, and -3.

Is there any information on the proposed Cybersecurity Resilience Act (CRA) and its interaction with the cybersecurity requirements in the RED? Also, what is the latest information on direct versus indirect connection to the internet?

Per the CRA (30): “When the Commission repeals or amends Delegated Regulation (EU) 2022/30 [RED DA] with the consequence that it ceases to apply to certain products subject to this Regulation, the Commission and the European standardisation organisations should take into account the standardisation work carried out in the context of Implementing Decision C(2022) 5637 in the preparation and development of harmonised standards to facilitate the implementation of this Regulation. During the transitional period for the application of this Regulation, the Commission should provide guidance to manufacturers subject to this Regulation that are also subject to Delegated Regulation (EU) 2022/30 to facilitate the demonstration of compliance with the two Regulations.”

When defining the impacts of directly vs. indirectly connected devices in terms of RED Art. 3.3(d)(e)(f): 

  • The essential requirement set out in Article 3.3(d) of Directive 2014/53/EU shall apply to any radio equipment that can communicate itself over the internet, whether it communicates directly or via any other equipment (“internet-connected radio equipment”).
  • The essential requirement set out in Article 3.3(e) applies to devices that are not internet-connected in cases where the device handles personally identifiable information (PII).

Are generators in-scope with RED cybersecurity if they have telemetrics in them?

The RED applies to products classified as radio equipment. This covers typical communication equipment, such as radio transmitters and wireless phones, as well as a wide range of products that integrate LoRaWAN, Wi-Fi, Bluetooth®, NFC, ZigBee, Z-Wave and other wireless technologies in all kinds of consumer and professional electronic equipment.

However, the applicability of RED Art. 3.3(d)(e)(f) also depends on other existing legislation: devices may be exempt when they fall under other regulations or directives, such as:

  • Medical devices under Regulation (EU) 2017/745 and (EU) 2017/746 
  • Radio equipment under Regulation (EU) 2018/1139 for civil aviation 
  • Radio equipment under Regulation (EU) 2019/2144 for motor vehicles 
  • Radio equipment under Directive (EU) 2019/520 for road toll systems 

Accordingly, depending on the use case of the product, it would fall under RED Art. 3.3(d)(e)(f).  

Is industrial radio equipment that talks to hubs/gateways in or out of scope?

RED Art. 3.3(d)(e)(f) addresses devices connected directly or indirectly. It would, however, depend on the use case and any additional supporting applicable directives. The hub/gateway would be the focus of RED compliance in this instance, as would the connected device.

How does the RED apply to existing products in the market?

Products must comply with the regulations and directives in force when they’re manufactured and the Declaration of Conformity (DoC) is issued, meaning existing stock of RED-compliant devices that predates RED Art. 3.3(d)(e)(f) complies. However, it is still in the manufacturer’s best interest to provide secure products to the market. For detailed explanations, please refer to the European Commission Blue Guide.

Does RED Art. 3.3(d)(e)(f) require Notified Body certification, or can the vendor internally evaluate it? Also, please describe the requirement for RED devices for industrial applications. 

RED Art. 3.3 (d)(e)(f) will align with the existing European Commission rules for compliance as described in the Blue Guide. You can secure an evaluation through a Notified Body or with a self-assessment against harmonized standards EN 18031-1, -2 and -3. Industrial and consumer IoT devices fall within the scope of RED Art. 3.3(d)(e)(f).

The examples provided in the webinar are all for endpoint devices. What about access point wireless routers? Are they in scope?

Yes, these devices will likely be in the scope of RED Art. 3.3(d)(e)(f). According to the Commission Delegated Regulation (EU) 2022/30, Article 3.3(d) will apply to all internet-connected radio equipment, with some exceptions for products that have other regulations. Wireless routers and access points will be in the scope of RED Art. 3.3(d)(e)(f).

Are medical devices within the scope of RED cybersecurity requirements? Please clarify the medical devices exclusion mentioned. Does the radio accessory to a medical device still fall under the RED? 

No, medical devices are not within the scope of RED Art. 3.3(d)(e)(f). See: Commission Delegated Regulation (EU) 2022/30 of Oct. 29, 2021, Article 2: “By way of derogation from Article 1, the essential requirements set out in Article 3(3), points (d), (e) and (f), of Directive 2014/53/EU shall not apply to radio equipment to which either of the following Union legislation also applies:

(a) Regulation (EU) 2017/745 (Medical Device Regulation);

(b) Regulation (EU) 2017/746 (In vitro diagnostic medical devices (IVD))”

If a device falls under the RED, are the new clauses (d), (e) and (f) mandatory regardless of product function? Do older devices already on the market need to be redesigned to implement the new clauses if we want to ship after Aug. 2025?

Products must comply with the regulations and directives in force upon manufacture and issuance of the DoC, meaning existing stock of pre-RED Art. 3.3(d)(e)(f) RED-compliant devices should be fine. For detailed explanations, please refer to the European Commission Blue Guide.

If you have a radio frequency (RF) product (A) that doesn’t connect to the internet but communicates via RF protocol to another RF product (B) which connects to the internet through LAN/Wi-Fi, is product A within the scope of the requirements of RED?

Yes, Product A would be in scope. Article 1 of Delegated Act 2022/30 states that it “shall apply to any radio equipment that can communicate itself over the internet, whether it communicates directly or via any other equipment.” Product A communicates with the internet via Product B and would therefore be in scope.

Once the RED is in force on Aug. 1, 2025, what does that mean for products already in the market? Do they need to retroactively comply with RED 3.3? How would that work since these devices are already certified?

Products must comply with the regulations and directives in force upon manufacture and issuance of the DoC, meaning existing stock of pre-RED Art. 3.3(d)(e)(f)-compliant devices should be fine. For detailed explanations, please refer to the European Commission Blue Guide.

Our company makes printers that do not store information but do connect to the internet. Does 3.3 apply?

Yes, RED Art. 3.3(d) applies to internet-connected products to ensure that they do not negatively affect the network. A connected printer would need to comply with Art. 3.3(d), and Article 3.3(e) applies to radio products that process personal, traffic or location data.

A printer is likely to process personal data, even if only temporarily; therefore, Article 3.3(e) would also apply.

Does a device fall under the new RED only if it communicates sensitive data?

No, RED Art. 3.3(d)(e)(f) applies to products regardless of the data’s level of sensitivity.

Do products outside of consumer IoT devices fall under RED Art. 3.3?

RED Art. 3.3(d)(e)(f) applies to network-connected radio devices. This definition is broader than consumer IoT and may include industrial and commercial devices, as well as those using short-range communications such as Wi-Fi, Bluetooth and Zigbee.
